Google Drive May Give Access To Full Google Account

Martin Brinkmann
Apr 26, 2012

Google Drive is Google's cloud storage service that has been making the rounds on the Internet ever since it launched a few days ago. It basically gives every Google user who signs up for the service 5 Gigabytes of free online storage that can be used to synchronize local files with the cloud, and access the files on the web as well.

Google Drive for PC or Mac are programs that Google Drive users can install on their systems to sync files on the operating system with the cloud.

The application runs in the background and synchronizes all files and folders that are moved or copied into the Google Drive root folder on the system, or on other systems connected to the Drive account.

Drive users may notice that some files hosted on Google Drive have a Google-specific file extension. These have been created by Google Docs, Google's document management and editing service. A click on one of those files opens the selected file in the default browser. They are basically just shortcuts pointing to Google Drive, which you can see when you look at the size of the documents (which is 1KB on my system).


What many Google Drive users do not know: opening one of these files also logs the user into the connected Google user account. The issue here? The login gives access to all other Google services as well.

One could say that this is not a big issue, or even an intended useful feature as it makes the process more comfortable. Others might feel that this is a security-related issue, as anyone with access to the local system can access all Google services of the account, including Google Mail, Webmaster Tools, Google Docs or YouTube, without further authentication.

It is definitely something to consider, especially when laptops or mobile computers are used. If you lose your laptop, or if it gets stolen, the thief could gain access to the full Google account this way if Google Drive is installed and running on the system.

You may now wonder how other services handle this. Microsoft SkyDrive displays a login prompt the first time the "go to skydrive.com" option is selected in a session. Dropbox opens the file listing right away, but it is less of an issue here as there are no other services users can switch to, and the files are also available directly on the system. (via Caschy)

The solution? Either do not run Google Drive automatically on your system, or do not use it at all if you think that this is a security issue.


Comments

  1. David Thatcher said on July 14, 2012 at 1:48 am

    There are more security concerns (including ghacks' “find” that opening google file extensions grants access to google account) on this Google product forum page. http://productforums.google.com/forum/#!topic/drive/SpN5gNF33Ys
    In that group there are other valid offline Google Drive functionality concerns like unnecessary file creation and/or duplication and file deletion duplication (online offline) that are very interesting.
    Q./ Why did Google release a synchable offline Drive product when it wasn’t ready?
    A./ It’s free, why not, users can unwittingly beta test it in real environments.

  2. Gerry White said on July 13, 2012 at 2:41 pm

    Hi Martin,

    Thanks for highlighting this issue, as a result of which I stopped using Drive.

    Do you know if there has been any improvement in the situation? I’ve trawled the web but found no other mention of this problem.

    Many thanks

    1. Martin Brinkmann said on July 13, 2012 at 3:13 pm

      Gerry, no change. You are still automatically logged in even if you have not been before.

  3. David Thatcher said on May 1, 2012 at 2:03 am

    Thanks for the article Martin, I found this out this morning and yours is the only resource that has brought this issue up. It means anyone who can navigate to the folder where my G-drive synched files are can then click on a file that has been converted to a Google format and it will then open up my default browser then log them into my Google account (how does it do that?).

    This is a terrible breach of security for my computer and anyone else’s computer where this occurs. I think the problem is that “How else can they achieve the ability to ‘synch’ files on my computer and in my Docs/Drive account?”

    I wish I could offer a solution but I can’t figure one, these instructions regarding synching did not work for me (no “settings” option) http://support.google.com/drive/bin/answer.py?hl=en&answer=2375083&topic=2463299&ctx=topic

  4. Anonymous said on April 28, 2012 at 6:19 pm

    PS: A more accurate header would be: Google Drive Gives Access To Full Google Account.

    1. Anonymous said on September 16, 2012 at 9:11 pm

      More accurate still: “Google Drive allows unauthenticated (no password required) access to full Google Account.”

  5. Anonymous said on April 28, 2012 at 6:18 pm

    Thanks for the article. This is a huge drawback. I’m amazed there isn’t widespread outrage at it. I noticed it right away, yet yours is the only article I’ve found warning people of this ridiculous “feature”.

    One should have the option of automatic Google account log-in (in the web) or having to log in whenever the program is launched.

    Not running the program automatically is hardly a solution, since anyone can still launch it manually.

    This is a pity, because I otherwise love the service and its neat integration with Android.

    1. Martin Brinkmann said on April 28, 2012 at 7:20 pm

      You are right, not running it does not change anything, as it starts up without authorization. The only viable option seems to be to select the disconnect account option, so that it is necessary to sign in to Google first before you can access the Google account on the web. An option to automatically log out would be useful, as would be if Google would add authorization just like Microsoft does with SkyDrive.

  6. manuel domingos said on April 27, 2012 at 4:19 pm

    I like this programme very much.

  7. Daniel said on April 27, 2012 at 4:03 pm

    I use Gmail to manage almost all of my confidential information, so opening the Google Drive app automatically at start-up will potentially create a risk. It may let your login/online account information go, especially in case strangers know that “feature”. I love Google but I think I will not use Google Drive to store data. Just Dropbox for sure :-).

  8. Alan@BitsEverywhere.com said on April 27, 2012 at 8:37 am

    Some friends of mine are hyper excited because of Google Drive. I, as a Dropbox user, find Google Drive not necessary for me, at least for now. Call me paranoid but the TOS makes me wonder how evil Google is. I’m sorry but GMail, AdSense, AdWords, Analytics, GDrive and Google knows too much about me.

    I even trust SkyDrive more than Google Drive. Am I the only one feeling too worried about the scope of Google’s privacy terms?

  9. Leslie said on April 27, 2012 at 2:16 pm

    This is a very serious issue.

    In Australia for example people in the Financial Services industry need to understand that even using Gmail for their business emails is not only non-compliant but also illegal as they will be breaking the privacy act by effectively using a system which allows an unauthorized party to gain access to confidential information.

    And now we have the situation where Google Drive goes even further in potentially enabling a code of conduct breach for any unwitting Adviser.

    Not good at all !!

    1. ilev said on April 28, 2012 at 9:17 am

      In Australia people in the Financial Services industry need to understand that even using Microsoft’s Office 365 or SkyDrive is not only non-compliant but also illegal as they will be breaking the privacy act by effectively using a system which allows Microsoft to hand over all their data to US authorities even when the servers are not on US soil. /s

      1. Leslie said on April 28, 2012 at 5:43 pm

        Correct !!

        Personally I think companies such as Google and Microsoft etc need to be forced to provide services in such a manner that they obey local laws.

        And before anyone jumps on me, how they do that is NOT my problem :-)

  10. Bob said on April 27, 2012 at 7:47 am

    Google is like Pedo Bear. Google lures innocent minded people with free apps where Pedo Bear lures innocent kids with free candy.

  11. Ash said on April 27, 2012 at 7:17 am

    I’m in love with Google Drive. But Dropbox defo works just as well!

  12. Jessie said on April 27, 2012 at 2:18 am

    So if I did happen to lose the device that I have set up for gdrive, could I just not go to another computer and change my Google password and not worry about anyone gaining access to my data?

    1. Anton said on October 15, 2012 at 7:14 am

      I lost my iPad this weekend. Changed my Gmail password, but 48 hours later Google Drive still lets me use the old password on my phone. As well as the new password.

      No response from Google either.

    2. Martin Brinkmann said on April 27, 2012 at 7:37 am

      Jessie, if you notice it in time, then this could work. I have not tried it though. IIRC Dropbox for instance still allowed you to log in even if you have changed the password, you had to cut off the connection in the Dropbox interface. I think they have changed the way this is handled.

  13. Cecilio Niño said on April 27, 2012 at 1:59 am

    wwwwaaoaooooo is true… I was trying… Google WHAT DO U DOING??

  14. Roman ShaRP said on April 27, 2012 at 12:37 am

    Thanks, very good point.

    Blast the overintegration of services.

  15. Rick said on April 26, 2012 at 11:40 pm

    I still think the biggest reason to NOT use this service is outlined in your previous article – whatever you share via the Google cloud becomes theirs to use.

    Using my laptop for both business and personal – I’m not giving Google my proprietary work for free!

    I know it’s highly unlikely that they will go looking because of the volume; but I bet if you become known – say you create a new product that is a hit – they will be looking to see if your code is on their servers.
